What is cyberwarfare?

• Attacks against adversary using computers as weapons
  - And, defense against such attacks
• Goal is attack/defense of nation(s)
  - Issues are scale, capabilities, willingness

Kinetic versus Cyber

Attribute                 | Kinetic                                      | Cyber
--------------------------+----------------------------------------------+---------------------------
Effects                   | Variable (largely known, e.g., guns, bombs)  | Variable (largely unknown)
Coverage                  | Limited by materiel                          | Global
Speed                     | Limited by transport                         | Possibly instantaneous
Cost (as %GDP)            | Significant                                  | Insignificant
Industrial base important?| Yes                                          | No
Attributable              | Yes, at scale                                | Not clear, at any scale

Example: Estonia

• Affected government, banks, newspapers
• Example of “Denial of Service” attack
• If you depend on the net
  - Availability: your packets get through
  - “Best effort” (IP service) not enough
  - 1 M machines send one 1 KB packet/second
    • 8 Gbits/second - overwhelms most links

Attribution (who did it?)

• Kinetic weapons: easy
• Internet: source addresses not needed for routing, anonymity tools

Botnets

• Can botnets be eliminated at the host?
  - Same question as “can hosts be made secure”
• Can they be detected and defended against?
  - DDoS major threat
• We demonstrate that detection of the command and control is hard


11/4/09    Penn Engineering    ONR MURI Review


Humanets

• Routing via smartphone wireless LAN ports
• Could do epidemic routing
  - Overloads network
• Smarter use of smartphones
  - Look for “promiscuous” host ...
  - That is also likely to move towards destination
• Does it work?

Capture data from G-1

Location data from S.F. Cabs

Are locations predictable?

It works pretty well on the data...

[Plot: x-axis Latency (minutes), 0 to 4500]

Impact?

• Completely decentralized C&C net
  - 85% delivery in 12 hours
• Easy to use for botnet or . . .
  - Wherever short commands are enough
• Hard to detect (you have to be local)
• Hard to block

Trust: What is it?

• Trust is the expectation that the right thing will happen for the right person at the right time and at the right place
• Various factors can increase or decrease this expectation
  - Unknowns (and unknowables?)
  - Adversaries
• 100% and 0% not achievable, but how close?

Reasoning about Trust

• Trust is often based on transitive trust
  - I trust Alice since I trust Bob and Bob trusts Alice
• But degree of trust is more subtle
  - I trust Alice less than Bob, with whom I vacation (i.e., my knowledge of Bob is better, and direct)
• Trust is dynamic
  - More experience with Alice, Bob cheats me, ...
  - As examples show, increases and decreases

Dependencies and Independence

• Trust is often based on assumptions of trust
  - This creates a chain of dependencies
  - See Thompson, “Reflections on Trusting Trust”
• Most SW systems assume HW trusted
  - “FPGA Viruses”, Hadzic, Udani, Smith, FPL ‘99
  - “Overcoming an Untrusted TCB”, Hicks, Finnicum, King, Martin, Smith, S&P ’10
• Desiderata: Independent attestation
  - Thinking Bayes: Pr(good) = 1 - Pr(bad1)*Pr(bad2)*...

Blaze, et al., “Trust Management” supports dependent and independent trust

DISTRIBUTED authorization and compliance checking

Policies may be dynamically introduced by multiple authorities

Dynamic Trust Management

February 2009 (vol. 42 no. 2), pp. 44-52

Matt Blaze, University of Pennsylvania
Sampath Kannan, University of Pennsylvania
Insup Lee, University of Pennsylvania
Oleg Sokolsky, University of Pennsylvania
Jonathan M. Smith, University of Pennsylvania
Angelos D. Keromytis, Columbia University
Wenke Lee, Georgia Institute of Technology


Root of Trust - Arbaugh’s AEGIS (Oakland ‘97)

Level 0

Evidence of Trust

• Multiple independent sources for attestation
  - E.g., voting TPMs with secured access (crypto)
• Minimal dependent sources
  - Rely as much as possible on differential integrity
  - Secure Boot on TPM
• Robust integrity checks
  - Chaining Layered Integrity Checks
• Dynamics - situational awareness
• Recovery strategies using independence
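
An added example (not from the slides or the cited papers): a simplified Python model of the chained layered integrity checks and recovery-by-independence bullets above, with the slide's Pr(good) formula applied to the two image sources. The layer names, images, and the `boot` and `pr_good` helpers are constructed for illustration.

```python
# Added illustration, not from the slides. Layer names and images are constructed.
import hashlib
import math

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def boot(chain, expected, recovery):
    """Chained layered integrity check with recovery.

    chain:    (name, image) pairs in boot order, lowest layer first
    expected: name -> SHA-256 digest held by the already-verified layer below
    recovery: name -> image from an independent store (assumed separate from
              the boot media, so one compromise does not reach both)
    Returns (booted, log). For simplicity the lowest layer is checked too;
    in a real system it is the root of trust and is assumed good.
    """
    booted, log = [], []
    for name, image in chain:
        status = "ok"
        if digest(image) != expected[name]:
            spare = recovery.get(name)
            # The spare is verified against the same digest before use.
            if spare is None or digest(spare) != expected[name]:
                log.append((name, "halt"))
                return booted, log  # nothing above an unverified layer runs
            status = "recovered"
        booted.append(name)
        log.append((name, status))
    return booted, log

def pr_good(pr_bad):
    """Slide formula for independent sources: 1 - Pr(bad1)*Pr(bad2)*..."""
    return 1.0 - math.prod(pr_bad)

ORDER = ["level0-firmware", "level1-bootloader", "level2-kernel"]
IMAGES = {n: f"{n} v1".encode() for n in ORDER}            # constructed
EXPECTED = {n: digest(img) for n, img in IMAGES.items()}

def demo():
    tampered = dict(IMAGES)
    tampered["level1-bootloader"] = b"level1-bootloader v1 + implant"
    chain = [(n, tampered[n]) for n in ORDER]
    spare = {"level1-bootloader": IMAGES["level1-bootloader"]}
    return boot(chain, EXPECTED, spare), boot(chain, EXPECTED, {})

if __name__ == "__main__":
    for booted, log in demo():
        print(booted, log)
    print(pr_good([0.1, 0.1]))  # boot media and spare each bad 10% of the time
```

The formula only holds if the two sources fail independently; a spare stored on the same media as the boot image shares its compromise and adds no assurance.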

Quantitative Trust Management (Eurosec ’09)